Leaderboard

Popular Content

Showing content with the highest reputation on 08/28/17 in all areas

  1. @Gushterul Offtopic: Yes. He had a period at the beginning of the year when he wasn't feeling too well, but now he is fine. I post updates on the blog about how he is doing, but not as often as before, because now he has the CT scans once every 6 months, not every 3 months like before. Since around the beginning of 2016 I have been taking care of his expenses, as is only normal, so that he doesn't lack vitamin C and the other things that can prolong his life. I was sitting and thinking about something: there are people who had surgery at the same time as him, only once, not twice like him, and who in the meantime are no longer among us. They followed the same treatment as dad, but, unfortunately, it wasn't meant to be. That means that maybe all those things we discussed together and bought with you, smart guys, helped him to still be alive now. I will respect you all my life for what you did for him and I thank you once again now.
    6 points
  2. UPDATE: FB account with 2500+ friends, PM for offers
    3 points
  3. There's nothing you can do with that list, it's full of minors
    2 points
  4. 2 points
  5. Author: @dronesec and @breenmachine
Article: https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Abusing Token Privileges For Windows Local Privilege Escalation
By @dronesec and @breenmachine, FoxGlove Security, posted on August 25, 2017

This is a project my friend drone <@dronesec> and I have been poking at for quite some time and are glad to finally be releasing. As the title implies, we're going to be looking at leveraging Windows access tokens with the goal of local privilege escalation. For those familiar with some of my previous work on "Rotten Potato" this might sound familiar, however drone and I took this 10 steps further. In this post I'm simply going to be providing a summary of the work. The full article and all associated code can be found at: https://github.com/hatRiot/token-priv. This post is going to be broken into two sections, the first for penetration testers and red teamers, and the second for exploit developers.

For the Red Team

Like the "Rotten Potato" project, this project will be useful for penetration testing and red team scenarios where an attacker has gained access to a non-administrative service account and is looking to elevate privileges to "SYSTEM". If you recall from the "Rotten Potato" project, in order for the original attack to work, your account needed to have the "SeImpersonatePrivilege", or "SeAssignPrimaryPrivilege". Drone and I decided to look at what other privileges could be abused to gain SYSTEM level access and were able to find a whole collection of them! If this is where your interest lies, feel free to skip to sections 3.1 and 3.3 of the paper linked above and take a look at the published code. Each of the modules is associated with a specific privilege and will get you SYSTEM level access or something almost as good.

Here is the list of privileges that we were able to abuse:
- SeImpersonatePrivilege
- SeAssignPrimaryPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege

From a penetration testing perspective, simply type "whoami /priv" at a Windows command prompt. If you have one of the above privileges, you win. It may be beneficial to hunt for specific service accounts that have these privileges. For example if you can gain access to the Backup service account, it will almost certainly have the SeBackupPrivilege and SeRestorePrivilege. Gaining access to these service accounts can be accomplished in a number of ways including the following:
- The service itself is compromised through some vulnerability. Typical scenarios include web application vulnerabilities which allow execution in the context of the account running IIS, and SQL injection vulnerabilities where XP_CMDSHELL can be used to run code in the context of the SQL service account.
- Service account credentials are leaked in some way.
- Kerberoast style attacks. A Kerberos ticket is requested for the target account from the domain controller. Part of this ticket is encrypted using the target account's password hash. This can be efficiently cracked offline to yield the account password.
- Forcing NTLM negotiation. For example, with a backup service, if you were to force it to backup an SMB share that is served up by Responder.py.

As always, you may need to be creative here. For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.

For the Exploit Devs

This project was originally conceived by drone as a tool for exploit developers to greatly simplify the exploitation of partial write vulnerabilities. Partial write vulnerabilities are those where we can write something to a chosen location in memory, however we may not control the value being written.

The idea here is to abuse the partial write to flip some bits in your user's token, thus enabling one of the exploitable privileges. From this point forward, the "exploitation" of the vulnerability involves abusing intended (albeit undocumented) behavior of a series of Windows API calls. The advantage of this type of strategy for abusing partial writes is that it evades all of the new kernel exploit mitigations! Drone shows in the paper how he was able to greatly simplify the exploits for some recent partial write vulnerabilities. The other great thing is that the exploit code is completely portable. Once the right bits are flipped in the token, the exploit developer needs only to run one of the modules from our project. For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.
    2 points
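The post's advice is to read `whoami /priv`; the same check is useful on the defensive side, for auditing which service accounts hold one of the listed privileges before an attacker looks. The script below is an added example (not code from the post or from the token-priv project): it parses the CSV form of that output and reports any of the listed privileges, whether currently enabled or not. The sample output is constructed; `audit_current_token` assumes it is run on a Windows host.

```python
import csv
import io
import subprocess

# Privileges the post lists as abusable. The post writes the second one as
# "SeAssignPrimaryPrivilege"; the name Windows actually reports is
# SeAssignPrimaryTokenPrivilege, so that is what we match on.
ABUSABLE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}


def find_abusable(whoami_csv):
    """Return [(privilege, state)] for every listed privilege the token holds.

    A privilege shown as "Disabled" is still held by the token: its owner can
    enable it with AdjustTokenPrivileges, so it is reported just like an
    "Enabled" one. Input is the text produced by `whoami /priv /fo csv`.
    """
    reader = csv.DictReader(io.StringIO(whoami_csv.strip()))
    found = []
    for row in reader:
        name = (row.get("Privilege Name") or "").strip()
        if name in ABUSABLE_PRIVILEGES:
            found.append((name, (row.get("State") or "").strip()))
    return found


def audit_current_token():
    """Run whoami on this host (Windows only) and audit the current token."""
    out = subprocess.run(["whoami", "/priv", "/fo", "csv"],
                         capture_output=True, text=True, check=True).stdout
    return find_abusable(out)


# Constructed sample of `whoami /priv /fo csv` output for a service account.
SAMPLE = '''"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeIncreaseWorkingSetPrivilege","Increase a process working set","Disabled"
'''

if __name__ == "__main__":
    for name, state in find_abusable(SAMPLE):
        print("%-32s %s" % (name, state))
```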
  6. PowerShell variant for Windows users who don't want to install MareleSharpe

```powershell
$request = Invoke-WebRequest -Uri 'https://www.vpnbook.com/'
if ($request.StatusCode -ne 200) {
    Write-Error -Message $('Failed to access website. StatusCode ' + $request.StatusCode + ': ' + $request.StatusDescription + '.')
    break
}
if ($request.RawContent -inotmatch 'username:\s+([\w\d]+)') {
    Write-Error -Message 'Failed to find username.'
    break
}
$username = $Matches[1]
if ($request.RawContent -inotmatch 'password:\s+([\w\d]+)') {
    Write-Error -Message 'Failed to find password.'
    break
}
$password = $Matches[1]
Set-Content -Path "D:\vpn_book.txt" -Force -Value $($username + "`r`n" + $password) -NoNewline -Encoding ASCII
```
    2 points
  7. @M4T3! I have never sold links on the blog, I don't sell them now, and I am careful about the links I put up. I only have two sites in the blogroll: a blogger and RST. My offer: one year, dofollow, index, blogroll, free. As a thank-you for helping my father. I haven't forgotten you, I have you on the list. If I can help, I help. If you agree, send me a private message with the site. I'm sure it's fine, but I want to take a look at it, to make sure myself.
    2 points
  8. Selling an F.B. account with 5000+ friends, created in January 2015; in the last 24 hours I received 3000 friend requests; the account has maximum friends potential, mostly Romanians! PM whoever is interested!
    2 points
  9. 2 points
  10. I also have some extra accounts, with daily activity for over a year.. and the price starts from 10€/account
    2 points
  11. The online movie sites are ok, I recommend xmovies8.ru or kingmovies.to, but if you want to use popcorn (my favorite) it's best to use a vpn
    1 point
  12. In Romania I pirated without problems and didn't need a vpn, but here I heard it's serious business; anyway I won't pirate movies or music, but one more question, are the sites with free online TV series or something like popcorn time ok?
    1 point
  13. hcpxread is an interactive tool made to view, parse, and export .hccapx files. You can learn more about the HCCAPX format from the official docs. Long story short,

Features
- Interactive menu
- Reads and outputs AP data
- Shows summary of the loaded access points

Usage

$ go get github.com/vlad-s/hcpxread
$ hcpxread
Usage of hcpxread:
  -capture file
        The HCCAPX file to read
  -debug
        Show additional, debugging info

Note: debugging will disable clearing the screen after an action.

Example

$ hcpxread -capture wpa.hccapx
INFO[0000] Opened file for reading    name=wpa.hccapx size="6.5 KB"
INFO[0000] Searching for HCPX headers...
INFO[0000] Finished searching for headers    indexes=17
INFO[0000] Summary: 17 networks, 0 WPA/17 WPA2, 16 unique APs
1. [WPA2] XXX B0:48:7A:BF:07:A4
2. [WPA2] XXXXX 08:10:77:5B:AC:ED
...
17. [WPA2] XXXXXXXXXX 64:70:02:9E:4D:1A
99. Export
0. Exit
network > 1
Key Version |ESSID |ESSID length |BSSID             |Client MAC
WPA2        |XXX   |3            |B0:48:7A:BF:07:A4 |88:9F:FA:89:10:2E
Handshake messages |EAPOL Source |AP message |STA message |Replay counter match
M1 + M2            |M2           |M1         |M2          |true
...

Asciicast: https://asciinema.org/a/H4pUedh9z9sLHH5iZuWouxeZU
Github: https://github.com/vlad-s/hcpxread
    1 point
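To show what the tool above is actually decoding, here is an added example (not code from hcpxread) that parses the 393-byte hccapx record layout documented by hashcat and produces the same fields as the tool's per-network view and summary. The record builder exists only to construct test input; the real-world MAC addresses used in the test are the ones shown in the tool's output above.

```python
import struct

# hccapx record: little-endian, 393 bytes, layout per hashcat's format doc.
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393
HCCAPX_SIGNATURE = b"HCPX"

# Low three bits of message_pair -> (handshake messages, EAPOL source,
# AP message, STA message). Bit 7 is set when the replay counters of the
# two messages did not match. hashcat's nonce-correction flags live in the
# remaining bits and are ignored by this parser.
MESSAGE_PAIRS = {
    0: ("M1 + M2", "M2", "M1", "M2"),
    1: ("M1 + M4", "M4", "M1", "M4"),
    2: ("M2 + M3", "M2", "M3", "M2"),
    3: ("M2 + M3", "M3", "M3", "M2"),
    4: ("M3 + M4", "M3", "M3", "M4"),
    5: ("M3 + M4", "M4", "M3", "M4"),
}
KEY_VERSIONS = {1: "WPA", 2: "WPA2", 3: "WPA2"}  # 3 = WPA2 with AES-128-CMAC


def mac_str(raw):
    return ":".join("%02X" % b for b in raw)


def parse_record(raw):
    """Decode one 393-byte record into the fields hcpxread displays."""
    if len(raw) != HCCAPX_SIZE:
        raise ValueError("record must be %d bytes, got %d" % (HCCAPX_SIZE, len(raw)))
    (sig, version, message_pair, essid_len, essid, keyver, keymic,
     mac_ap, nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_STRUCT.unpack(raw)
    if sig != HCCAPX_SIGNATURE:
        raise ValueError("bad signature %r" % sig)
    if essid_len > 32 or eapol_len > 256:
        raise ValueError("length field out of range")  # untrusted input: bound-check before slicing
    pair = MESSAGE_PAIRS.get(message_pair & 0x07)
    if pair is None:
        raise ValueError("unknown message_pair %d" % message_pair)
    return {
        "version": version,
        "key_version": KEY_VERSIONS.get(keyver, "unknown(%d)" % keyver),
        "essid": essid[:essid_len].decode("utf-8", "replace"),
        "essid_len": essid_len,
        "bssid": mac_str(mac_ap),
        "client_mac": mac_str(mac_sta),
        "handshake": pair[0],
        "eapol_source": pair[1],
        "ap_message": pair[2],
        "sta_message": pair[3],
        "replay_counter_match": not (message_pair & 0x80),
        "key_mic": keymic.hex(),
        "eapol": eapol[:eapol_len],
    }


def parse_file(data):
    """Split a whole .hccapx file into records (a trailing short chunk is ignored)."""
    return [parse_record(data[off:off + HCCAPX_SIZE])
            for off in range(0, len(data) - HCCAPX_SIZE + 1, HCCAPX_SIZE)]


def summarize(records):
    """The counts shown in hcpxread's 'Summary:' line."""
    wpa = sum(1 for r in records if r["key_version"] == "WPA")
    return {"networks": len(records), "wpa": wpa,
            "wpa2": len(records) - wpa,
            "unique_aps": len({r["bssid"] for r in records})}


def build_record(essid, mac_ap, mac_sta, keyver=2, message_pair=0, eapol=b"", version=4):
    """Constructed test record in the same layout (not a real capture)."""
    essid_b = essid.encode()
    return HCCAPX_STRUCT.pack(
        HCCAPX_SIGNATURE, version, message_pair, len(essid_b), essid_b.ljust(32, b"\0"),
        keyver, b"\0" * 16, bytes.fromhex(mac_ap.replace(":", "")), b"\0" * 32,
        bytes.fromhex(mac_sta.replace(":", "")), b"\0" * 32, len(eapol), eapol.ljust(256, b"\0"))


if __name__ == "__main__":
    sample = build_record("XXX", "B0:48:7A:BF:07:A4", "88:9F:FA:89:10:2E")
    for rec in parse_file(sample):
        print(rec["key_version"], rec["essid"], rec["bssid"], rec["client_mac"],
              rec["handshake"], rec["replay_counter_match"])
    print(summarize(parse_file(sample)))
```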
  14. Does anyone have Pomohaci's friends list?
    1 point
  15. 1 point
  16. Sources: https://github.com/doadam/ziVA https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

ziVA
An iOS kernel exploit designated to work on all 64-bit iOS devices <= 10.3.1

More general information
https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

Offsets modifications for other iOS devices
Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. Those will be posted in the close future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them).

Sandbox escape
Like mentioned, AppleAVEDriver direct access requires sandbox escape (either mediaserverd sandbox context or no sandbox at all). Fortunately, sandbox escape exploits have been released by P0, which means this can be used to completely compromise a kernel, and a step towards a full jailbreak.

Is it a Jailbreak?
This is a crucial part in a Jailbreak chain, but this never aimed to become a Jailbreak. Is this going to be a jailbreak? Maybe, if someone wants to work on that.

Credits
Credit for finding the vulnerabilities, chaining them together, and writing the exploit go to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).

Proof of Concept:
https://github.com/doadam/ziVA
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42555.zip

Source: https://www.exploit-db.com/exploits/42555/
    1 point
  17. R is a language and environment for statistical computing and graphics. It is a GNU project which is similar to the S language and environment which was developed at Bell Laboratories (formerly AT&T, now Lucent Technologies) by John Chambers and colleagues. R can be considered as a different implementation of S. There are some important differences, but much code written for S runs unaltered under R. R provides a wide variety of statistical (linear and nonlinear modelling, classical statistical tests, time-series analysis, classification, clustering, …) and graphical techniques, and is highly extensible. The S language is often the vehicle of choice for research in statistical methodology, and R provides an Open Source route to participation in that activity. One of R’s strengths is the ease with which well-designed publication-quality plots can be produced, including mathematical symbols and formulae where needed. Great care has been taken over the defaults for the minor design choices in graphics, but the user retains full control. R is available as Free Software under the terms of the Free Software Foundation’s GNU General Public License in source code form. It compiles and runs on a wide variety of UNIX platforms and similar systems (including FreeBSD and Linux), Windows and MacOS. In this introduction to R, you will master the basics of this beautiful open source language, including factors, lists and data frames. With the knowledge gained in this course, you will be ready to undertake your first very own data analysis. With over 2 million users worldwide R is rapidly becoming the leading programming language in statistics and data science. Every year, the number of R users grows by 40% and an increasing number of organizations are using it in their day-to-day activities. Leverage the power of R by completing this free R online course today! 
Link: https://www.datacamp.com/courses/free-introduction-to-r?utm_source=fb_paid&utm_medium=fb_desktop&utm_campaign=fb_ppa
    1 point
  18. 1 point
  19. Is anyone else selling FB accounts?
    1 point
  20. I got a vpn from purevpn, it works ok, I use it from linux, and I disabled upload; so far, after 6 months, no fine ...
    1 point
  21. 500 GB programming resources: https://drive.google.com/drive/folders/0ByWO0aO1eI_MN1BEd3VNRUZENkU
    1 point
  22. Like any free service, the one offered by https://www.vpnbook.com/ has small "imperfections", in this case one of them being the need to visit the site regularly to obtain the login data. With this automation we will eliminate this small disadvantage. It is assumed that OpenVPN is used.

Modifying the config file (location: C:\Program Files\OpenVPN\config\) - to use the login data from a file - in the ".ovpn" file we replace the line:
auth-user-pass
with:
auth-user-pass "D:\\vpn_book.txt"

Automation:

```python
# Python 2.7
import re
import urllib2

vpn = "http://www.vpnbook.com/"
response = urllib2.urlopen(vpn)
data = response.read()

# The login data appears on the page as "Username: xxx<" and "Password: xxx<"
u = re.search(r"Username: (\w+)<", data)
p = re.search(r"Password: (\w+)<", data)
if not u or not p:
    raise SystemExit("Could not find username/password on the page")
utilizator = u.group(1)
parola = p.group(1)

# One line for the username and one for the password, as OpenVPN's
# auth-user-pass file expects
with open("D:\\vpn_book.txt", "w") as login_file:
    login_file.write(utilizator + "\n" + parola)
```

Each time the script above is run, the login data in the file d:\\vpn_book.txt will be refreshed.
    1 point
  23. https://www.it-sec-catalog.info/

Available from https://it-sec-catalog.info/ and https://www.gitbook.com/book/arthurgerkis/it-sec-catalog.

About this project
This is a catalog of links to articles on computer security — software and hardware analysis and vulnerability exploitation, shellcode development and security mitigations, including computer security research, and malware stuff. Slides are not included (there is another project for that). Advisories without much detail are also not included. All articles are only in English. The project has been running since 2010.

Author and contributors
Author of this project: Arthur (ax330d) Gerkis; contributors: Nitay Artenstein, Joe (j0echip) Chip. Thanks to everyone who helped with the project.
    1 point
  24. Deep Analysis of New Poison Ivy Variant
by Xiaopeng Zhang | Aug 23, 2017 | Filed in: Security Research

Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file. We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format. Once the victim opens this file using the MS PowerPoint program, the malicious code contained in the file is executed. It downloads the Poison Ivy malware onto the victim's computer and then launches it. In this blog, I'll show the details of how this happens, what techniques are used by this malware, as well as what it does to the victim's computer.

The PowerPoint Sample

Figure 1 shows a screenshot of when the ppsx file is opened.
Figure 1. Open Payment_Advice.ppsx

As you can see, the ppsx file is played automatically. The "ppsx" extension stands for "PowerPoint Show," which opens the file in presentation mode. This allows the malicious code to be executed automatically. The warning message box alerts the user that it might run an unsafe external program. Usually, the implied content of the document beguiles the user into pressing the Enable button.

Let's take a look at the malicious code embedded inside this PowerPoint file. An OOXML file is a zip format file. By decompressing this file we can see the file/folder structure, shown below.
Figure 2. PPSX file structure

Going into its .\ppt\slides\ subfolder, slide1.xml is the slide automatically shown in Figure 1. The file ".\_rels\slide1.xml.rels" is the relationship file where the resources used in slide1.xml are defined. In slide1.xml, I found the xml code: . This means that when the user's mouse hovers over this element, something named "rId2" in the slide1.xml.rels file is executed. Figure 3 shows the relationship between them.
Figure 3. The code defined in "rId2"

Being Added into the Startup Group

The code defined in "rId2" uses an echo command of cmd.exe to output vbs code into the Thumbs.vbs file in the "Startup" folder of the Start menu. This allows the Thumbs.vbs file to be executed when the victim's system starts. We'll take a look at the content of this Thumbs.vbs file below.
Figure 4. Thumbs.vbs in the Startup folder and its content

The Downloaded File

Thumbs.vbs downloads a file from hxxp://203.248.116.182/images/Thumbs.bmp and runs it using msiexec.exe. As you may know, msiexec.exe is the Microsoft Windows Installer program, which is the default handler of .MSI files. Msiexec.exe can be used to install/uninstall/update software on Windows. The MSI file is an Installer Package. It contains a PE file (in a stream) that is executed when it's loaded by msiexec.exe. This PE file could be replaced with malware to bypass any AV software detection. We have also observed that more and more malware authors have started using this method to run their malware.

The MSI file is in the Microsoft OLE Compound File format. In Figure 5 we can see the downloaded Thumbs.bmp file content in the DocFile Viewer.
Figure 5. The downloaded Thumbs.bmp in DocFile viewer

Next, I'm going to extract this PE file from the stream into a file (exported_thumbs). By checking with a PE analysis tool, we can see that it's a 64-bit .Net program. This means that this malware only affects 64-bit Windows.

Analyzing the .Net code and Running It

After putting this extracted file into dnSpy to be analyzed, we can see the entry function Main(), as shown in Figure 6.
Figure 6. Main function

It then calls the rGHDcvkN.Exec() function in Main(), which contains a huge array. Actually, the data in the array is the code that is executed as a thread function by a newly-created thread. Figure 7 clearly shows how the code in the array is executed.
Figure 7. .Net program runs a thread to execute the code in a huge array

If the code is run on a 64-bit platform, IntPtr.Size is 8. So the huge array is passed to array3. It then allocates a memory buffer by calling rGHDcvkN.VirtualAlloc() and copies the code from array3 into the new memory by calling Marshal.Copy(). It eventually calls rGHDcvkN.CreateThread() to run the code.

I started the .Net program in the debugger, and set a breakpoint on the CreateThread API to see what the array code would do when it's hit. Per my analysis of the array code, it is a kind of loader. Its main purpose is to dynamically load the main part of the malware code from the memory space into a newly-allocated memory buffer. It then repairs any relocation issues according to the new base address and repairs APIs' offsets for the main part code. Finally, the main code's entry function is called.

Anti-Analysis Techniques

All APIs are hidden. They are restored when being called. The snippet below is the hidden CreateRemoteThread call.

sub_1B0E6122 proc near
    mov rax, 0FFFFFFFF88E23B10h
    neg rax
    jmp rax ;; CreateRemoteThread
sub_1B0E6122 endp

All strings are encrypted. They are decrypted before use. For example, this is the encrypted "ntdll" string.

unk_1AFD538C db 54h, 0B2h, 9Bh, 0F1h, 47h, 0Ch ; ==> "ntdll"

It runs a thread (I named it ThreadFun6) to check if the API has been set as a breakpoint. If yes, it calls TerminateProcess in another thread to exit the process immediately. The thread function checks all APIs in the following modules: "ntdll", "kernel32", "kernelbase" and "user32". In Figure 8, you can see how this works:
Figure 8. Checking for breakpoints on exported APIs in "ntdll"

It runs a thread to check if any analysis tools are running. It does this by creating specially named pipes that are created by some analysis tools. For example, "\\.\Regmon" for the registry monitor tool RegMon; "\\.\FileMon" for the local file monitor tool FileMon; "\\.\NTICE" for SoftIce, and so on. If one of the named pipes cannot be created, it means one of the analysis tools is running. It then exits the process soon thereafter.

It then goes through all the running program windows to check if any window class name contains a special string to determine if an analysis tool is running. For example, "WinDbgFrameClass" is Windbg's main window class name. This check runs in a thread as well (I named it Threadfun3). Below, Figure 9 shows how this thread function works.
Figure 9. Check Windows' Class Name

By checking to see if the "Wireshark-is-running-{...}" named mutex object exists (by calling OpenMutex), it can implement anti-WireShark. By calling the API "IsDebuggerPresent", it can check to see if this process is running in a debugger (returns with 1). It's a kind of anti-debugging check. It also checks how much time is spent by calling IsDebuggerPresent. If the time is more than 1000ms, it means that the process runs in a debugger or VM, and it then exits the process.

These are all the ways that this malware performs anti-analysis. Most of these checks run in their own threads, and are called every second. It then exits the process if any check is matched. To continue the analysis of this malware, we have to first skip these checks. We can dynamically modify its code to do so. For example, changing "IsDebuggerPresent"'s return value to 0 allows us to bypass the running-in-debugger detection.

Generating A Magic String from a Decrypted String

By decrypting three strings and putting them together, we get the magic string "Poison Ivy C++", which will be saved in a global variable qword_1B0E4A10. From the code snippet below you can see how it makes this string.
Figure 10. Generating the magic string

Hiding Key-functions in Six Different Modules

It next loads several modules from its encrypted data. It creates a doubly-linked list, which is used to save and manage these loaded modules. There are many export functions from each of these modules that achieve the malware's main work. In this way, it's also a challenge for dynamic debugging. The variable qword_1AFE45D0 saves the header of that doubly-linked list. Each object in the list has the structure below:

+00H pointer to previous object in the list
+08H pointer to next object in the list
+18H for Critical Section object use
+28H the base address of the module this object is related to
+30H pointer to export function table

It then decrypts and decompresses six modules one by one, and adds each of them into the doubly-linked list. Figure 11 shows a code snippet from decrypting these six modules.
Figure 11. Decrypting and decompressing modules

Each module has an Initialization function (like the DllMain function for Dll files) that is called once the module is completely decrypted and decompressed. Three of these modules have an anti-analysis ability similar to the one I described in the Anti-Analysis section above. So to continue the analysis of this malware, I needed to modify their code to bypass their detection function. After that it calls the export functions of those modules.

It decrypts the configuration data from the buffer at unk_1AFE3DA0. This configuration data is decrypted many times while the process is running, and it tells the malware how to work. I'll talk more about the configuration data in a later section.

The malware then picks a string from the configuration data, which is "%windir%\system32\svchost.exe". It later calls CreateProcess to run svchost.exe, and then injects some code and data from malware memory into the newly-created svchost.exe. It finally calls the injected code and exits its current process. The malware's further work is now done on the svchost.exe side.

Starting over in SVCHOST.exe

Through my analysis I could see that the injected code and data represent the entire malware. It all starts over again in the svchost.exe process. Everything I have reviewed above is repeated in svchost.exe. For example, executing the anti-analysis detection code, getting the magic string, creating a doubly-linked list, decrypting six modules and adding them into the doubly-linked list, and so on.

It then goes to a different code branch when executing the instruction 01736C2 cmp dword ptr [rdi+0Ch], 1 in module2. [rdi+0ch] is a flag that was passed when the entire code was initialized. When the flag is 0, it takes the code branch to run svchost.exe and inject code in it; when it's 1, it takes the code branch to connect to the C&C server. Before the injected code in svchost.exe is executed, the flag is set to 1. Figure 12 shows the code branches.
Figure 12. Snippet of code branches

Obtaining the C&C Server from PasteBin

The C&C server's IP addresses and ports are encrypted and saved on the PasteBin website. PasteBin is a text code sharing website. A registered user can paste text code on it in order to share the text content with everyone. The malware author created 4 such pages, and put the C&C server IP addresses and ports there. Do you remember when I talked previously about encrypted configuration data? It contains the 4 PasteBin URLs. They are:
hxxps://pastebin.com/Xhpmhhuy
hxxps://pastebin.com/m3TPwxQs
hxxps://pastebin.com/D8A2azM8
hxxps://pastebin.com/KQAxvdvJ

Figure 13 shows the decrypted configuration data.
Figure 13. Decrypted configuration data

If you access any one of these URLs, you will find there is normal Python code on it. The encrypted server IP address and port are hidden in the normal python code. Let's take a look. While looking at the main function you will find the code below: win32serviceutil.HandleCommandLine({65YbRI+gEtvlZpo0qw6CrNdWDoev}). The data between "{" and "}" is the encrypted IP address and port. See Figure 14 for more information.
Figure 14. Encrypted C&C IP address and Port on PasteBin

Let's see what we can see after decryption in Figure 15.
Figure 15. Decrypted IP address and Port

From Figure 15, we can determine that the decrypted C&C server IP address is 172.104.100.53 and the Port is 1BBH, i.e. 443. It should be noted that the IP addresses and Ports on the four pages are not the same. The author of this malware can update these IP addresses and Ports by simply updating the python code on the four PasteBin pages.

Communicating with the C&C server

The malware starts connecting and sending data to its C&C server once it gets the IP address and Port. All the packets traveling between the malware and its server are encrypted using a private algorithm. The structure of the packet is like this (the first 14H bytes are the header part, from 14H on is the data part):

+00 4 bytes are a key for encryption or decryption.
+04 4 bytes are the packet command.
+0c 4 bytes are the length in bytes of the data portion of the packet.
+14 4 bytes. From this point on is the real data.

Once the malware has connected to the server, it first sends a "30001" command, and the server replies with command "30003". The command "30003" requests the client to collect the victim's system information. Once the malware receives this command, it calls tons of APIs to collect the system information. It gathers the system's current usage of both physical and virtual memory by calling GlobalMemoryStatusEx. It gets the CPU speed from the system registry from "HKLM\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\~MHz". It gets the free disk space of all partitions by calling GetDiskFreeSpaceExA. It gets the CPU architecture by calling GetNativeSystemInfo. It collects display settings by calling EnumDisplaySettings. It collects file information from kernel32.dll. It gets the current computer name and user name by calling GetComputerName and GetUserName. It also gets the System time by calling GetSystemTime, and the system version by calling GetVersionEx. Finally, it copies the svchost.exe's full path and a constant string, "PasteBin83", which is from the decrypted configuration data (see Figure 13 again).

In Figure 16 you can see the collected system information before encryption. Figure 17 shows the data after encryption as it's about to be sent to the C&C server. The first four bytes are used to encrypt or decrypt the following data.
Figure 16. Collected information from the victim's system
Figure 17. Encrypted system information from victim's system

From my analysis during the malware runtime, I could determine that the malware keeps obtaining the C&C server's IP address from PasteBin and communicating with the C&C server in an infinite loop (by calling Sleep(1000) to suspend the execution). So far, I have only seen the commands "030001" and "030003" being used. I'll continue to monitor and analyze the malware's behavior to see what else it will do.

Solution

The FortiGuard Antivirus service has detected the file "Payment_Advice.ppsx" as MSOFFICE/PoisonIvy.A!tr.dldr and "Thumbs.bmp" as MSOFFICE/PoisonIvy.A!tr.

IOC
URL: hxxp://203.248.116.182/images/Thumbs.bmp
Sample SHA-256 hashes:
Payment_Advice.ppsx E7931270A89035125E6E6655C04FEE00798C4C2D15846947E41DF6BBA36C75AE
Thumbs.bmp A3E8ECF21D2A8046D385160CA7E291390E3C962A7107B06D338C357002D2C2D9

Source: https://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant
    1 point
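Two of the observations in the analysis above are directly usable for detection: the 14H-byte C&C packet header layout and the `HandleCommandLine({...})` pattern used to hide the C&C address in an otherwise ordinary PasteBin script. The code below is an added example (not code from the FortiGuard post) that parses that header and pulls the blob out of page text. Little-endian field order is an assumption; the +08 and +10 words are not described in the post and are carried through untouched, and the sample packets are constructed.

```python
import re
import struct

HEADER_LEN = 0x14  # data starts at +14H per the analysis above

# Field offsets from the post: +00 key, +04 command, +0C data length.
# The words at +08 and +10 are not described there; they are kept as opaque
# values. Little-endian layout is an assumption (64-bit Windows sample).
_HEADER = struct.Struct("<IIIII")


def parse_packet(buf):
    """Split a captured packet into header fields and the (still encrypted) data.

    Raises ValueError when the header is short or the declared length does not
    fit in the buffer, so a reassembly bug shows up as an error rather than as
    silently wrong data.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(buf))
    key, command, unknown08, data_len, unknown10 = _HEADER.unpack_from(buf, 0)
    data = buf[HEADER_LEN:]
    if len(data) < data_len:
        raise ValueError("truncated: header declares %d data bytes, %d present"
                         % (data_len, len(data)))
    return {
        "key": key,
        "command": command,
        "unknown08": unknown08,
        "unknown10": unknown10,
        "data_len": data_len,
        "data": data[:data_len],
        "trailing": len(data) - data_len,
    }


def build_packet(key, command, data):
    """Constructed packet in the same layout, for testing a parser or IDS rule."""
    return _HEADER.pack(key, command, 0, len(data), 0) + data


# The post shows the encrypted C&C address wrapped as HandleCommandLine({...}).
# A real pywin32 service script passes a class name there, never a brace-
# delimited token, so a match is a strong indicator on its own.
PASTE_RE = re.compile(r"HandleCommandLine\(\{([A-Za-z0-9+/=]+)\}\)")


def extract_c2_blob(page_text):
    """Return the brace-wrapped token from a fetched PasteBin page, or None."""
    m = PASTE_RE.search(page_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed packet: key 0xDEADBEEF, the "30003" command read as hex (an
    # assumption; the post does not give the radix), three bytes of data.
    pkt = build_packet(0xDEADBEEF, 0x30003, b"\x01\x02\x03")
    print(parse_packet(pkt))
    # Constructed page text containing the snippet quoted in the analysis.
    page = "if __name__ == '__main__':\n    win32serviceutil.HandleCommandLine({65YbRI+gEtvlZpo0qw6CrNdWDoev})\n"
    print(extract_c2_blob(page))
```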
  25. Morning, I spent a day reading the "welcome" section and after a hard day of work I came home and the mouse pointer seemed to go on its own to the first post, written by pyth0n3, and I immediately got caught up in his game and I really don't want to write a single line about myself because I love the internet too much, linux, beer, weed, sometimes a database from some police inspectorate; however beautiful life is for me, life means computer. By the way, I'm draqu13; about the name I have no description. It is the perfect description. I've had contact with computers since around the age of 7, considering I'm 23; at the age of 10, in 2003, I discovered ABAC or the internet cafe, where I started playing MU. 11 years later, in 2014, I gave up MU for BLACK TRACK and I still have pirated CDs. Honestly it's been 3 years that I've been into this crap I like; school, not really! Currently I'm in evening classes in the 12th grade and trying to finish school in order to progress. I want a future in IT, I don't want to do anything else with my life. I learned everything from 0, my only friend was youtube; that's how I learned about brute force, sql injection, databases, a bit of html, DoS, cloning, payloads, wi-fi and how easily I can watch you inside your house with the help of your webcam. I like it here among cables, security and motherboards! I hope to make friends here from whom I can learn, because I've seen there are only cool people here; if it were up to me I'd give each one of you a nail! P.S. Hey Fuking Hi Draqu At The Keyboard!
    1 point
  26. Analyzing Man-in-the-Browser (MITB) Attacks The Matrix is real and living inside your browser. How do you ask? In the form of malware that is targeting your financial institutions. Though, the machines creating this malware do not have to target the institution, rather your Internet browser. By changing what you see in the browser, the attackers now have the ability to steal any information that you enter and display whatever they choose. This has become known as the Man-in-the-Browser (MITB) attack. Download: https://www.sans.org/reading-room/whitepapers/forensics/analyzing-man-in-the-browser-mitb-attacks-35687
    1 point